CCNA Security Lab 7 - Using ACLs to secure access to Cisco IOS routers - CLI

Lab 7 

Using ACLs to secure access to Cisco IOS routers 
Lab Objective: 

The objective of this lab exercise is for you to learn and understand how to 
implement ACLs to secure access to Cisco IOS routers. 

Lab Purpose: 

ACLs can be used in numerous ways to prevent unauthorized hosts and subnets from 
gaining access to Cisco IOS routers. 

Lab Difficulty: 

This lab has a difficulty rating of 5/10. 

Readiness Assessment: 

When you are ready for your certification exam, you should complete this lab in 
no more than 15 minutes. 

Lab Topology: 

Please use the following topology to complete this lab exercise: 



NOTE: 

The purpose of this lab is to understand the configuration commands. You are not required to test the 
configuration as the complexity is beyond the scope of the CCNA Security. 


Lab 7 Configuration Tasks 
Task 1: 

Configure the hostnames and IP addresses on R1 and R2 as illustrated in the network diagram. 

Configure R2 to send R1 clocking information at a rate of 512Kbps. Ping between R1 and R2 to verify your 
configuration and ensure that the two routers have IP connectivity. 

Task 2: 

On R1, configure an ACL for the VTY lines that performs the following: 

Denies Telnet and SSH traffic from the RFC 1918 subnets to R1 
Denies Telnet and SSH traffic from the 127.0.0.0/8 subnet to R1 
Permits Telnet and SSH traffic from all other subnets. This permit must be logged in detail. 

The VTY lines should be secured by the password cisco and provide Level 15 access by default. 

Task 3: 

Configure the following interfaces on R2: 

Interface      Address      Mask 
Loopback160    160.1.1.2    /27 
Loopback170    170.1.1.2    /22 
Loopback180    180.1.1.2    /19 

Task 4: 

Configure anti-spoofing ACLs on R2 that perform the following: 

Inbound 

Denies the 127.0.0.0/8 address space and provides detailed logging 
Denies the Loopback160, Loopback170 and Loopback180 address space without logging 
Permits all other IP traffic 

Outbound 

Permits the Loopback160, Loopback170 and Loopback180 address space 
Denies the RFC 1918 address space and provides detailed logging 

Task 5: 

Configure an ACL on R1 to restrict HTTP and HTTPS access as follows: 

Allow HTTP from the 192.168.0.0/24 subnet 
Deny HTTP from the 192.168.1.0/24 subnet 
Deny HTTP from the 127.0.0.0/8 subnet 
Allow HTTP from all other subnets 

Lab 7 Configuration and Verification 
Task 1: 

Router(config)#hostname R1 
R1(config)#int s0/0 
R1(config-if)#ip add 150.1.1.1 255.255.255.252 
R1(config-if)#no shutdown 
R1(config-if)#exit 
R1(config)#exit 
R1# 

Router(config)#hostname R2 
R2(config)#int s0/0 
R2(config-if)#clock rate 512000 
R2(config-if)#ip address 150.1.1.2 255.255.255.252 
R2(config-if)#no shutdown 
R2(config-if)#exit 
R2(config)#exit 
R2# 

R2#ping 150.1.1.1 

Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms 

Task 2: 

R1(config)#ip access-list extended VTY-SECURITY 
R1(config-ext-nacl)#deny tcp 10.0.0.0 0.255.255.255 any eq telnet 
R1(config-ext-nacl)#deny tcp 10.0.0.0 0.255.255.255 any eq 22 
R1(config-ext-nacl)#deny tcp 172.16.0.0 0.15.255.255 any eq telnet 
R1(config-ext-nacl)#deny tcp 172.16.0.0 0.15.255.255 any eq 22 
R1(config-ext-nacl)#deny tcp 192.168.0.0 0.0.255.255 any eq telnet 
R1(config-ext-nacl)#deny tcp 192.168.0.0 0.0.255.255 any eq 22 
R1(config-ext-nacl)#deny tcp 127.0.0.0 0.255.255.255 any eq telnet 
R1(config-ext-nacl)#deny tcp 127.0.0.0 0.255.255.255 any eq 22 
R1(config-ext-nacl)#permit tcp any any eq telnet log-input 
R1(config-ext-nacl)#permit tcp any any eq 22 log-input 
R1(config-ext-nacl)#exit 
R1(config)#line vty 0 4 
R1(config-line)#access-class VTY-SECURITY in 
R1(config-line)#password cisco 
R1(config-line)#privilege level 15 
R1(config-line)#login 
R1(config-line)#exit 
R1(config)#exit 
R1# 

Task 3: 

R2(config)#int loopback 160 
R2(config-if)#ip address 160.1.1.2 255.255.255.224 
R2(config-if)#exit 
R2(config)#int loopback 170 
R2(config-if)#ip address 170.1.1.2 255.255.252.0 
R2(config-if)#exit 
R2(config)#int loopback 180 
R2(config-if)#ip address 180.1.1.2 255.255.224.0 
R2(config-if)#exit 
R2(config)#exit 
R2# 

Task 4: 

R2(config)#ip access-list extended ANTI-SPOOF-IN 
R2(config-ext-nacl)#deny ip 127.0.0.0 0.255.255.255 any log-input 
R2(config-ext-nacl)#deny ip 160.1.1.0 0.0.0.31 any 
R2(config-ext-nacl)#deny ip 170.1.0.0 0.0.3.255 any 
R2(config-ext-nacl)#deny ip 180.1.0.0 0.0.31.255 any 
R2(config-ext-nacl)#permit ip any any 
R2(config-ext-nacl)#exit 

R2(config)#ip access-list extended ANTI-SPOOF-OUT 
R2(config-ext-nacl)#permit ip 160.1.1.0 0.0.0.31 any 
R2(config-ext-nacl)#permit ip 170.1.0.0 0.0.3.255 any 
R2(config-ext-nacl)#permit ip 180.1.0.0 0.0.31.255 any 
R2(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any log-input 
R2(config-ext-nacl)#deny ip 172.16.0.0 0.0.15.255 any log-input 
R2(config-ext-nacl)#no deny ip 172.16.0.0 0.0.15.255 any log-input 
R2(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 any log-input 
R2(config-ext-nacl)#exit 
R2(config)#int s0/0 
R2(config-if)#ip access-group ANTI-SPOOF-IN in 
R2(config-if)#ip access-group ANTI-SPOOF-OUT out 
R2(config-if)#exit 
R2(config)#exit 
R2# 

R2#show ip interface serial 0/0 
Serial0/0 is up, line protocol is up 
  Internet address is 150.1.1.2/30 
  Broadcast address is 255.255.255.255 
  Address determined by setup command 
  MTU is 1500 bytes 
  Helper address is not set 
  Directed broadcast forwarding is disabled 
  Outgoing access list is ANTI-SPOOF-OUT 
  Inbound access list is ANTI-SPOOF-IN 
  Proxy ARP is enabled 
--[Truncated Output]-- 

Task 5: 

R1(config)#access-list 50 remark "This is my HTTP/HTTPS ACL" 
R1(config)#access-list 50 permit 192.168.0.0 0.0.0.255 
R1(config)#access-list 50 deny 192.168.1.0 0.0.0.255 
R1(config)#access-list 50 deny 127.0.0.0 0.255.255.255 
R1(config)#access-list 50 permit any 
R1(config)#ip http server 
R1(config)#ip http secure-server 
R1(config)#ip http access-class 50 
R1(config)#exit 
R1# 
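The ACLs from Tasks 2, 4 and 5, evaluated against constructed sample packets by a small first-match evaluator. This is an added Python example, not part of the lab and not Cisco tooling; it implements only the subset of IOS ACL syntax this lab uses (permit/deny, ip/tcp, any or network plus wildcard, eq port, log-input), and every name in it (parse_ace, evaluate, wildcard_for_prefix, the port-name table, the sample source addresses) is constructed here. It shows the top-down first match with the implicit deny at the end of every list, which entries are logged, the /27, /22 and /19 wildcard masks used in Tasks 3 and 4, and why the mistyped 172.16.0.0 wildcard that was removed again in Task 4 matters: 0.0.15.255 covers only 172.16.0.0 to 172.16.15.255, while 0.15.255.255 covers the whole 172.16.0.0/12 block.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL = 0xFFFFFFFF
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}  # constructed subset of IOS port names


@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: int              # source network as a 32-bit int
    src_wild: int         # wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wild: int
    dport: Optional[int]  # destination port from "eq", or None
    log: bool             # "log" or "log-input" present


def wildcard_for_prefix(prefix_len: int) -> str:
    """Prefix length -> IOS wildcard mask (inverted subnet mask), e.g. /27 -> 0.0.0.31."""
    subnet_mask = (ALL << (32 - prefix_len)) & ALL
    return str(ipaddress.IPv4Address(subnet_mask ^ ALL))


def _addr(tokens):
    """Consume 'any' or '<network> <wildcard>'; return (network, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, ALL, tokens[1:]
    return int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1])), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse a standard ('permit 10.0.0.0 0.255.255.255') or extended ('deny tcp ... eq 22 log-input') entry."""
    tokens = line.split()
    action, rest = tokens[0], tokens[1:]
    if rest[0] in ("ip", "tcp", "udp"):  # extended entry: protocol, source, destination
        proto, rest = rest[0], rest[1:]
        src, src_wild, rest = _addr(rest)
        dst, dst_wild, rest = _addr(rest)
    else:                                 # standard entry: source only, any destination
        proto, (src, src_wild, rest), (dst, dst_wild) = "ip", _addr(rest), (0, ALL)
    dport = None
    if rest and rest[0] == "eq":
        dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
        rest = rest[2:]
    log = bool(rest) and rest[0] in ("log", "log-input")
    return Ace(action, proto, src, src_wild, dst, dst_wild, dport, log)


def _wild_match(addr: int, net: int, wild: int) -> bool:
    # Bits covered by the wildcard are ignored; every other bit must agree.
    return ((addr ^ net) & ~wild & ALL) == 0


def evaluate(acl, src_ip, dst_ip, proto="ip", dport=None):
    """Top-down first match -> (action, matching entry or None, logged); no match = implicit deny."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for line in acl:
        ace = parse_ace(line)
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_wild_match(s, ace.src, ace.src_wild) and _wild_match(d, ace.dst, ace.dst_wild)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, line, ace.log
    return "deny", None, False


# The lab's ACLs exactly as typed in Tasks 2, 4 and 5.
VTY_SECURITY = [
    "deny tcp 10.0.0.0 0.255.255.255 any eq telnet",
    "deny tcp 10.0.0.0 0.255.255.255 any eq 22",
    "deny tcp 172.16.0.0 0.15.255.255 any eq telnet",
    "deny tcp 172.16.0.0 0.15.255.255 any eq 22",
    "deny tcp 192.168.0.0 0.0.255.255 any eq telnet",
    "deny tcp 192.168.0.0 0.0.255.255 any eq 22",
    "deny tcp 127.0.0.0 0.255.255.255 any eq telnet",
    "deny tcp 127.0.0.0 0.255.255.255 any eq 22",
    "permit tcp any any eq telnet log-input",
    "permit tcp any any eq 22 log-input",
]
ANTI_SPOOF_IN = [
    "deny ip 127.0.0.0 0.255.255.255 any log-input",
    "deny ip 160.1.1.0 0.0.0.31 any",
    "deny ip 170.1.0.0 0.0.3.255 any",
    "deny ip 180.1.0.0 0.0.31.255 any",
    "permit ip any any",
]
HTTP_ACL_50 = ["permit 192.168.0.0 0.0.0.255", "deny 192.168.1.0 0.0.0.255",
               "deny 127.0.0.0 0.255.255.255", "permit any"]
# The mistyped 172.16.0.0 entry from Task 4 beside its corrected form.
RFC1918_172_TYPO = "deny ip 172.16.0.0 0.0.15.255 any log-input"
RFC1918_172_FIXED = "deny ip 172.16.0.0 0.15.255.255 any log-input"

if __name__ == "__main__":
    print("/27 /22 /19 ->", wildcard_for_prefix(27), wildcard_for_prefix(22), wildcard_for_prefix(19))
    print("SSH from 10.1.2.3:", evaluate(VTY_SECURITY, "10.1.2.3", "150.1.1.1", "tcp", 22))
    print("SSH from 8.8.8.8: ", evaluate(VTY_SECURITY, "8.8.8.8", "150.1.1.1", "tcp", 22))
    print("Inbound from 160.1.1.9:", evaluate(ANTI_SPOOF_IN, "160.1.1.9", "150.1.1.2"))
    for entry in (RFC1918_172_TYPO, RFC1918_172_FIXED):
        print(entry, "matches 172.31.5.5:", evaluate([entry], "172.31.5.5", "8.8.8.8")[1] is not None)
```

evaluate takes an ACL as a plain list of entry strings, so any list from this lab can be pasted in unchanged. A packet that reaches the end of the list without matching is returned as a deny with no matching entry and no log, which is exactly what the router's implicit deny does; the only way to know such drops happened on a real router is to add an explicit final deny with log-input.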

Lab 7 Configurations 
R1 Configuration 

R1#show run 
Building configuration... 

Current configuration : 1494 bytes 
! 
version 12.4 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname R1 
! 
boot-start-marker 
boot-end-marker 
! 
no logging console 
! 
no aaa new-model 
no network-clock-participate slot 1 
no network-clock-participate wic 0 
ip cef 
! 
multilink bundle-name authenticated 
! 
crypto pki trustpoint TP-self-signed-3473940174 
 enrollment selfsigned 
 subject-name cn=IOS-Self-Signed-Certificate-3473940174 
 revocation-check none 
 rsakeypair TP-self-signed-3473940174 
! 
! 
crypto pki certificate chain TP-self-signed-3473940174 
 certificate self-signed 01 
  3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 33343733 39343031 3734301E 170D3032 30333031 30343433 
  31305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34373339 
  34303137 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100C824 4F0BABB6 A557E3A3 3EE6D399 5A495CF6 8F7E131A 62670291 9710DF0F 
  CB6918CB D3B817C8 51D4648C 79B882A8 637804CB 8984FB80 D9F1D86B E79C8292 
  E1617724 252490F4 BE0322C0 5C984515 3E0A4550 75E9BCC7 7A19900C 0084F632 
  19643491 5C0E821D 5442E1C8 FB4BE8A3 034E2954 01B4377C DC14AF72 0F4C92DC 
  70A90203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603 
  551D1104 06300482 02523230 1F060355 1D230418 30168014 4020A082 2373EFEF 
  CD379B8C 2A1A4D13 43842D59 301D0603 551D0E04 16041440 20A08223 73EFEFCD 
  379B8C2A 1A4D1343 842D5930 0D06092A 864886F7 0D010104 05000381 81003F41 
  884FE500 E8EBCBF8 9711C10F 6A1F4110 B850B68D A84DDFDD D14EC73A 06B47781 
  3B4CAB5E 05FE96F9 AEEFD074 A49AD426 D830B3E4 468D5D98 1ADAC3C5 04958145 
  E99C3B0C 218EFD94 6780FE45 5AA6E608 19E067B7 A582601C 280AE0A1 135ADF47 
  35016D1C 6F6A7252 A054845B BF16FCA8 7873C9B3 62E09894 AC5C4375 FADB 
  quit 
! 
! 
archive 
 log config 
  hidekeys 
! 
interface FastEthernet0/0 
 no ip address 
 duplex auto 
 speed auto 
! 
interface Serial0/0 
 ip address 150.1.1.1 255.255.255.252 
! 
ip forward-protocol nd 
! 
ip http server 
ip http access-class 50 
ip http secure-server 
! 
ip access-list extended VTY-SECURITY 
 deny tcp 10.0.0.0 0.255.255.255 any eq telnet 
 deny tcp 10.0.0.0 0.255.255.255 any eq 22 
 deny tcp 172.16.0.0 0.15.255.255 any eq telnet 
 deny tcp 172.16.0.0 0.15.255.255 any eq 22 
 deny tcp 192.168.0.0 0.0.255.255 any eq telnet 
 deny tcp 192.168.0.0 0.0.255.255 any eq 22 
 deny tcp 127.0.0.0 0.255.255.255 any eq telnet 
 deny tcp 127.0.0.0 0.255.255.255 any eq 22 
 permit tcp any any eq telnet log-input 
 permit tcp any any eq 22 log-input 
! 
access-list 50 remark "This is my HTTP/HTTPS ACL" 
access-list 50 permit 192.168.0.0 0.0.0.255 
access-list 50 deny 192.168.1.0 0.0.0.255 
access-list 50 deny 127.0.0.0 0.255.255.255 
access-list 50 permit any 
! 
control-plane 
! 
line con 0 
line aux 0 
line vty 0 4 
 access-class VTY-SECURITY in 
 privilege level 15 
 password cisco 
 login 
! 
end 


R2 Configuration 

R2#sh run 
Building configuration... 

Current configuration : 1502 bytes 
! 
version 12.4 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname R2 
! 
boot-start-marker 
boot-end-marker 
! 
no logging console 
! 
no aaa new-model 
no network-clock-participate slot 1 
no network-clock-participate wic 0 
ip cef 
! 
! 
! 
! 
no ip domain lookup 
! 
multilink bundle-name authenticated 
! 
archive 
 log config 
  hidekeys 
! 
interface Loopback160 
 ip address 160.1.1.2 255.255.255.224 
! 
interface Loopback170 
 ip address 170.1.1.2 255.255.252.0 
! 
interface Loopback180 
 ip address 180.1.1.2 255.255.224.0 
! 
interface FastEthernet0/0 
 no ip address 
 duplex auto 
 speed auto 
! 
interface Serial0/0 
 ip address 150.1.1.2 255.255.255.252 
 ip access-group ANTI-SPOOF-IN in 
 ip access-group ANTI-SPOOF-OUT out 
 clock rate 512000 
! 
ip forward-protocol nd 
! 
ip http server 
ip http authentication local 
no ip http secure-server 
! 
ip access-list extended ANTI-SPOOF-IN 
 deny ip 127.0.0.0 0.255.255.255 any log-input 
 deny ip 160.1.1.0 0.0.0.31 any 
 deny ip 170.1.0.0 0.0.3.255 any 
 deny ip 180.1.0.0 0.0.31.255 any 
 permit ip any any 
ip access-list extended ANTI-SPOOF-OUT 
 permit ip 160.1.1.0 0.0.0.31 any 
 permit ip 170.1.0.0 0.0.3.255 any 
 permit ip 180.1.0.0 0.0.31.255 any 
 deny ip 10.0.0.0 0.255.255.255 any log-input 
 deny ip 172.16.0.0 0.15.255.255 any log-input 
! 
control-plane 
! 
line con 0 
line aux 0 
line vty 0 4 
 password cisco 
 login 
! 
! 
end 